DNS Security

I just had a realization. Earlier today, I phoned a hosting company to get a DNS record updated for my client. I've never spoken to anybody at that company, ever. Nobody at my client shares my first name.

"admin.client.org needs to be pointed to 255.255.255.255, and registration.client.org needs to be pointed to 111.111.111.111."

"Thanks."

Not 5 minutes later, root servers started returning the updated IP.

I think there might be a security hole big enough to drive a truck through in this production setup. This company doesn't even host the application (that's at another company) - they just control the DNS records.

This is why my employer insists on hosting their own DNS. This is why they insist on having their domain registrations 'locked' at all times (well, except right before a transfer). And, this is why they're careful about their registrar selection.

And, yes, when we've tried other registrars (which we occasionally do from time to time, to get a feel for our options), we've occasionally had experiences like this. Generally, it results in us moving the domain to a different registrar very quickly (at least once, we started the process with the registrar less than 24 hours later).